Der Spiegel, December 2013

http://www.spiegel.de/netzwelt/netzpolitik/quantumtheory-wie-die-nsa-weltweit-rechner-hackt-a-941149.html
http://www.spiegel.de/fotostrecke/nsa-dokumente-so-uebernimmt-der-geheimdienst-fremde-rechner-fotostrecke-10532 
(TS//SI//REL) Only R&T Analysts can submit QUANTUMTHEORY Tasking to the
QUANTUM team; TOPI Analysts can submit QUANTUMNATION Tasking through
Target Profiler. The biggest difference is QUANTUMTHEORY deploys a stage 1 implant
called VALIDATOR (soon to be COMMONDEER) and QUANTUMNATION deploys a
stage 0 implant called SEASONEDMOTH (SMOTH). SMOTHs die within 30 days of
deployment unless requested to extend the life.

(TS//SI//REL) This presentation does not cover FAA QUANTUM, but if you identify an 
active selector, compare the SIGAD in Marina to the SIGAD on the GO QUANTUM wiki 
page to see if FAA QUANTUM is an option. 

(TS//SI//REL) This presentation is geared towards targets seen at US-HH. If you are 
unfamiliar with this SIGAD, it is equivalent to a TS//NF SIGAD that cannot be 
mentioned in this PowerPoint. You can contact the POC of this brief for more 
information. 



Web Browsing (Exploit with QUANTUM - the concept: man-on-the-side)

• QUANTUM is a man-on-the-side capability. If your target has a selector
that is active in the last 14 days, vulnerable to the QUANTUM technique,
and seen by an SSO site that has QUANTUM capabilities, then there might
be the opportunity to detect that communication in real-time and piggy
back with the requested content back into the target's network and
implant the host.

• QUANTUMTHEORY can be used only if a TAO Project is set up (must
coordinate with your R&T Analyst)

• QUANTUMNATION can be used regardless of a TAO Project (TOPI does the
tasking in Target Profiler)

• The biggest difference is QUANTUMTHEORY deploys a stage 1 implant
called VALIDATOR (soon to be COMMONDEER) and QUANTUMNATION
deploys a stage 0 implant called SEASONEDMOTH (SMOTH). SMOTHs die
within 30 days of deployment unless requested to extend the life. The
exploit technique is the same.
What is QUANTUM?

QUANTUM Generic Animation - High Level of How It Works

[Diagram labels: Target, Internet Router, Yahoo's Web Server, SSO Site, NSA, TAO FOXACID Server]

1. Target logs into his Yahoo account
2. SSO site sees the QUANTUM tasked Yahoo selector's packet and forwards it to TAO's FOXACID Server
3. FOXACID injects a FOXACID url into the packet and sends it back to the target's computer
4. Yahoo server receives the packet requesting email content
6. The target's Yahoo webpage is loaded but in the background the FOXACID URL loads which redirects to the FOXACID Exploit Server.
7. If the browser is exploitable and the PSP is safe, FOXACID deploys a Stage 1 implant back to the target
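A defender's view of the man-on-the-side exchange in the animation, as an added example that is not part of the original presentation: the injected answer races the web server's own answer instead of replacing it, so the client's network sees two segments covering the same TCP sequence range with different bytes. The `Segment` record, its field names and the sample capture are constructed for illustration.

```python
from collections import defaultdict
from typing import NamedTuple

class Segment(NamedTuple):
    """One server-to-client TCP segment captured at the client's network edge."""
    ts: float        # capture time, seconds
    flow: tuple      # (src_ip, src_port, dst_ip, dst_port)
    seq: int         # sequence number of the first payload byte
    ttl: int         # IP TTL on arrival
    payload: bytes

def find_injected_flows(segments):
    """Map each flow to a summary of segments that overlap in sequence space
    but carry different bytes. Identical retransmissions are not reported.
    Sequence-number wrap-around is ignored to keep the example short."""
    seen = defaultdict(list)   # flow -> segments seen so far
    report = {}
    for seg in sorted(segments, key=lambda s: s.ts):
        for prev in seen[seg.flow]:
            lo = max(prev.seq, seg.seq)
            hi = min(prev.seq + len(prev.payload), seg.seq + len(seg.payload))
            if lo >= hi:
                continue       # the two segments do not overlap
            if prev.payload[lo - prev.seq:hi - prev.seq] == seg.payload[lo - seg.seq:hi - seg.seq]:
                continue       # same bytes: ordinary retransmission
            entry = report.setdefault(seg.flow, {
                "seq": lo, "first_ts": prev.ts, "second_ts": seg.ts,
                "ttls": set(), "conflicts": 0})
            entry["ttls"].update((prev.ttl, seg.ttl))  # differing TTLs are a supporting signal
            entry["conflicts"] += 1
        seen[seg.flow].append(seg)
    return report

# Constructed capture: documentation-range addresses, invented payloads.
FLOW = ("203.0.113.10", 80, "198.51.100.7", 51000)
SAMPLE = [
    # Early answer that wins the race, followed by the real server's answer.
    Segment(0.010, FLOW, 1000, 61, b"HTTP/1.1 302 Found\r\nLocation: http://injected.example/\r\n\r\n"),
    Segment(0.045, FLOW, 1000, 52, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"),
    Segment(0.046, FLOW, 1044, 52, b"<html>inbox</html>"),
    Segment(0.300, FLOW, 1044, 52, b"<html>inbox</html>"),  # benign retransmission
]

if __name__ == "__main__":
    for flow, entry in find_injected_flows(SAMPLE).items():
        print(flow, entry)
```

Every later segment from the real server also conflicts with the bytes the client accepted first, which is why the conflict count for the sample flow is higher than one.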
QUANTUM Capabilities - NSA

(TS//SI//REL) NSA QUANTUM has the greatest success against <yahoo>, <facebook>,
and Static IP Addresses. New QUANTUM realms are often changing, so check the GO
QUANTUM wiki page or the quantum Spy Space page to get more up-to-date news.

NSA QUANTUM is capable of targeting the following realms:

• IPv4_public
• alibabaForumUser
• doubleclickID
• emailAddr
• rocketmail
• hi5Uid
• hotmailCID
• linkedin
• mail
• mailruMrcu
• msnMailToken64
• qq
• facebook
• simbarUuid
• twitter
• yahoo
• yahooBcookie
• ymail
• youTube
• WatcherID
QUANTUMTHEORY - GCHQ

If a Partnering Agreement Form (PAF) is set up with GCHQ for
the CNO project, then the R&T Analyst can utilize GCHQ
QUANTUMTHEORY to include additional capabilities such as:

• ALIBABA
• AOL
• BEBO_EMAIL
• DOUBLE_CLICK
• FACEBOOK_CUSER
• GOOGLE PREFID
• GMAIL
• HI5
• HOTMAIL
• LINKEDIN
• MAILRU
• MICROSOFT_MUID
• MICROSOFT_ANONA
• RAMBLER
• RADIUS
• SIMBAR
• TWITTER
• YAHOO_B
• YAHOO_L/Y
• YANDEX_EMAIL
• YOUTUBE
• IP Address

More information on: https://wiki.gchq/
If you cannot get to the link try: http://[redacted]






/QUANTUM^BISCLMT 

QUANTUM SIGDEV - QFDs

(TS//SI//REL) Find all Selectors associated to your target (Yahoo,
Yahoo B Cookies, Facebook, Hotmail, etc) using Marina, NSA or
GCHQ QFDs.

NSA SATC QFDs:

ALTEREGO QFD:
[Screenshot of results table; columns: Queried Selector, Alternate Selector, Queried Selector Degree, Alternate Selector Degree, Intersection, Score]

DOG COLLAR QFD:
[Screenshot of results table; columns include: Selector, Type, Enrichment Value, Observations]

Skip to Step 5 once you have all of your selectors...
QUANTUM SIGDEV - Marina

Step 1: Skip to Step 5 if you used the QFDs to identify alternate selectors

• (TS//SI//REL) If you do not use the GCHQ or NSA QFDs you can use Marina. Run a
Marina Selector/Identifier Profile (Federated) search for a 3 month range to look for
additional selectors.
• (TS//SI//REL) Once the query finishes, look at the Equivalent IDs section. This will show
you other selectors that your target is using. This is determined by linking content
(logins/email registrations/etc). It is worth verifying that these are indeed selectors
associated to your target. NSA Quantum works best against <yahoo> and
<facebook>. Although, it is worth making note of a <gmail> selector for possible GCHQ
QUANTUM support or for your own notes.

[Screenshot: Marina results showing the Equivalent IDs section, with entries labelled New Selector and Known Selector]
• (TS//SI//REL) If your search was on a <yahoo> email address, then click on Machine
IDs and look for a recent <yahooBcookie>. YahooBcookie's are unique to a specific
computer and can hold other <yahoo> addresses that are being logged into on that
computer as long as the user does not clear browser cookies. If you see multiple
<yahooBcookie> pick the most recent Last Heard date. Also higher the Num Heard is,
the more likely that selector does not change.

Unique Selectors Found:

• <yahoo> (Known Selector)
• [redacted]@gmail.com<google> (New Selector)
• <yahooBcookie> (New Selector)
New <google> selector

(TS//SI//REL) Since @gmail.com<google> is a new selector, you will want to
do a Marina Selector Profile query on it to see if there are additional accounts
associated to the target. Remember NSA QUANTUM cannot target the <google>
selector.

(TS//SI//REL) You can do this by clicking on the selector, scroll down to Selector
Profile, and click Range.





[Screenshot: Marina menu for the selector, with entries including Selector Details, Analytics and Chats]
(TS//SI//REL) Change the query to search for the last 3 Months and click Submit.
• (TS//SI//REL) Once the query finishes, look at the Equivalent IDs section and make
note of any new <yahoo>, <hotmail>, <yahooBcookie>, and <facebook> selectors and
do the same process to identify additional selectors.

All Unique Selectors Found From Both Searches:

<yahoo> (Known Selector)
(TS//SI//REL) Once you have a list of your selector(s), you will want to look at each one
separately to check for the likelihood of successfully exploiting your target via NSA
QUANTUM. We are checking to see if the target itself is seen at US- and if it is active.

(TS//SI//REL) First we want to run a Marina Active User/Presence (Federated) search on
<facebook> for the past 14 days.

[Screenshot: Marina search menu]
• (TS//SI//REL) You will either have results or not have results. The key is to look at the
SIGAD for the results and if the SIGAD is capable of doing QUANTUM then you most
likely have a vulnerable target! To check for SIGADs that NSA and GCHQ QUANTUM
can target, type GO quantum in your browser. If GCHQ QUANTUM is needed, then
work with your R&T Analyst to follow the appropriate steps on the wiki to set up a PAF.

• (TS//SI//REL) You will want to look at the Marina results and make note of the most
frequent SIGAD/IP CIDR for each Active User/Presence (Federated) query

1) Selector
   a) SIGAD
   b) Active User IP CIDR - The CIDR will be added to the TLN's Whitelist.

- A TLN's Whitelist is a list containing the IP CIDRs your target uses. It is where the
FOXACID server will only continue with exploitation if the external IP Address of
the target/redirection is on the Whitelist for the TLN your R&T Analyst requests.



Is My Selector Tasked for QUANTUM?

If you sent your R&T analyst a selector to task for
QUANTUMTHEORY and you want to see if it has been tasked yet,
you can enter the selector in Target Profiler and if you see "tasked
for survey" and the Technique to be QUANTUMTHEORY or
QUANTUMNATION then it is tasked! You can also see when the last
FOXACID redirection took place.

[Screenshot: Target Profiler entry for a <yahoo> selector, marked "vulnerable" and "tasked for survey", with Technique: QUANTUMTHEORY and a Last Attempt field ending in (fail)]
QUANTUMNATION

QUANTUMNATION uses new TAO CNE tradecraft and automation to drive broad
scale initial access, specifically an SSG cloud-analytic to identify selectors in SSO
passive collection that are viable for end-point access, and the use of lightweight
CNE implants to obtain initial access and survey data delivered to the TOPI offices
via corporate SIGINT repositories. For More Information on QUANTUMNATION check
the QUANTUMNATION wiki page.

Target Profiler now shows if a selector is vulnerable to a QUANTUM exploit. If your
target is valid for QUANTUMNATION, a "Vulnerable" link in Target Profiler will
appear. Simply click the link that sends an email to request QUANTUMNATION
tasking.

[Screenshot: Target Profiler entry for a <facebook> selector marked "vulnerable"; the Vulnerabilities field shows a User Agent string for an iPad running OS 5_0_1]

Note: QUANTUMNATION and standard QUANTUM tasking results in the same
exploitation technique. The main difference is QUANTUMNATION deploys a stage 0
implant and is able to be submitted by the TOPI. Any iOS device will always get
VALIDATOR deployed.
• (TS//SI//REL) Once you have a selector, SIGAD, and IP CIDR, you are ready to start
the process for a FOXACID TLN and Tag request.

• (TS//SI//REL) Depending on the teams, either an R&T analyst or the Branch Chief can
create a TLN (Twisty Lobby Number). Contact your Branch Chief for information on
creating a TLN for each selector you want to target.

• (TS//SI//REL) Note: You will need 1 TLN and 1 FOXACID Tag per selector you task with
QUANTUM.



Step 8:

• (TS//SI//REL) Once you have a TLN, you will need to submit a FOXACID Tag request.
• (TS//SI//REL) Go to https://[redacted]nsa/cgi-bin[redacted] and fill out the appropriate
information in the top and within the body of the ticket update this information accordingly. Here is an example:

CT or Non-CT: Non-CT
Second Party; Partnering: No
Country Region/Type:
FISA Target: No
Type of Op: QUANTUM
Utilizing WPTT No
Project Name:
TLN: 12345 <- Insert Your TLN
IP Range: <- Insert Your Active User IP CIDR / WHITELIST
MAC Addresses: Unknown
Payload Requested: Val
Start Date: 20130401
MSQ Support: No

(TS//SI//REL) Once the ticket is completed, you will receive an email with the FOXACID
Tag for your TLN.

(TS//SI//REL) Go to https://[redacted]nsa.ic.gov[redacted]/index.php and
fill out the appropriate information in the form to task your selector and tag for
QUANTUM.

(TS//SI//REL) Once your selector is tasked for QUANTUM you will see the status
changed to complete.

(TS//SI//REL) The last step is to monitor the TLN in FOXSEARCH
https://[redacted] to look for
redirections and update the plugins or WHITELIST if needed.

(TS//SI//REL) De-task your quantum request when you hook your target!



If you have any questions or comments about this presentation, please send an email
to [redacted] at [redacted]@nsa.ic.gov


